Abstract

In their paper [9], P. Paillier and J. Villar make a conjecture about the malleability of an RSA modulus. In this paper we present an explicit algorithm refuting the conjecture. Concretely, we can factorize an RSA modulus n using very little information on the factorization of a concrete n' coprime to n. However, we believe the conjecture might be true when imposing some extra conditions on the auxiliary n' allowed to be used. In particular, the paper shows how subtle the notion of malleability is.
1 Introduction

The existence of a tradeoff between one-wayness and chosen ciphertext security dates back to the eighties when, for example, it was observed in [10], [11], [4]. Roughly speaking, one cannot have a cryptosystem whose one-wayness is equivalent to solving a certain difficult problem while, at the same time, the cryptosystem is IND-CCA secure with respect to that same problem. This so-called paradox has been attempted to be formally proved many times, by a number of authors, since it was first observed. However, no one succeeded until very recently, when Paillier and Villar (cf. [9]) clarified the question for the case of factoring-based cryptosystems. In particular, they give precise conditions for certain security incompatibilities to exist. More precisely, they reformulate the paradox in terms of key-preserving black-box reductions and prove that if factoring can be reduced in the standard model to breaking the one-wayness of the cryptosystem, then it is impossible to achieve chosen-ciphertext security. As the authors mention in their paper (cf. [9]), combining this result with the security proofs contained in [2], [3] gives a very interesting separation result between the Random Oracle model and the standard model.

Moreover, assuming an extra hypothesis, which they call "non-malleability" of the key generator, they are able to extend the result from key-preserving black-box reductions to the case of arbitrary black-box reductions.

Hence, as the authors themselves stress in [9], it is very important to study non-malleability of key generators. In fact, they conjecture that most instance generators are non-malleable, but no arguments are given to support this belief. The goal of this note is to shed some light on this open question.

Actually, the notion of non-malleability captures a very basic fact in arithmetic: intuitively, one tends to believe that the problem of factoring a given number n (an RSA modulus) is not made easier if we know how to factor other numbers n' relatively prime to n. The random behavior of prime numbers, observed many times in the literature, suggests that if the numbers n' are randomly selected, their factorization is useless for the problem of factoring n. However, this might not be so relevant to malleability, because we have the freedom to choose the additional numbers n' cleverly.

Indeed, the result contained in this note goes against the non-malleability intuition, thus showing how subtle this notion is. Concretely, for any number n we are able to prove the existence of a polynomial time reduction algorithm from factoring n to factoring certain explicit numbers n', all relatively prime to n. In other words, we show that factoring is, in this generality, a malleable problem. Let us stress that this might be compatible with the conjecture of [9] mentioned above, because imposing extra conditions on the numbers n' may result in transforming the problem into a non-malleable one. In fact, it is our belief that malleability is a notion that depends strongly on these kinds of extra conditions, and hence requires further research.



2 The algorithm

Given an RSA modulus $n = pq$, we want to find $n'$ such that factoring $n'$, with the help of an oracle, will allow us to find the factorization of $n$. In fact we will only need very partial information about the factorization of $n'$ in order to get the complete factorization of $n$. From now on, and without loss of generality, we will make the assumption that $p < q$.
2.1 A particular case

By construction (which will be clear in a moment), it turns out that the particular case in which $n$ is such that $2^{p-1} \not\equiv 1 \pmod q$ or $2^{q-1} \not\equiv 1 \pmod p$ is somewhat simpler, and we will dedicate this section to it. However, the whole idea of the method already arises in this case, and so the general one, considered in the next section, will be very similar. We consider $n' = 2^n + 1$. Observe that an efficient encoding of $n'$ of size comparable to $n$ is available, since all these numbers in binary form have a 1 at the beginning and at the end, and the rest are precisely $n - 1$ zeros. Let us assume the existence of an oracle $\mathcal{O}$ which, on input $n'$, returns the residue classes modulo $n$ of three prime factors $r \mid n'$. In fact, the only thing we need is the residue class modulo $n$ of just one prime factor of $n'$ different from 1 and 3, so, if convenient, one can admit an oracle answering any set $S \subseteq \{r \pmod n : r \text{ prime}, r \mid n'\}$, $S \not\subseteq \{1, 3\}$, of polynomial size. We now present an algorithm which, on input an RSA modulus $n$ in the conditions of this section, outputs a nontrivial factor of $n$.

Algorithm 1

• Send $n' = 2^n + 1$ in binary form to $\mathcal{O}$.

• Take $r \in S$, $r \ne 1, 3$, and compute $d = (r - 1, n)$.

Theorem 1 Let $n = pq$ be an RSA modulus such that either $2^{p-1} \not\equiv 1 \pmod q$ or $2^{q-1} \not\equiv 1 \pmod p$. Then the number $d$ given by the previous algorithm, in time polynomial in $\log n$, is a prime divisor of $n$.

Proof: The first thing we have to prove is that there exists a set $S$ satisfying the conditions of the algorithm. In order to do so we have to prove that at least one prime factor of $n'$ is not 1 or 3 modulo $n$. Suppose $r$ is a prime factor of $n'$. Then $2^{2n} \equiv 1 \pmod r$, and so either $r = 3$, which always divides $n'$ (as $n$ is odd), or the order of 2 in $\mathbb{F}_r^*$ is $\mathrm{ord}_r(2) = p, q, 2p, 2q, pq$ or $2pq$. In this case we just have to recall that the order of any element must divide the order of the group to conclude that either $p \mid (r-1)$, $q \mid (r-1)$ or $n \mid (r-1)$. Note, on the other hand, that 9 never divides $n'$, since $n \equiv \pm 1 \pmod 6$ and so $2^n \equiv 2$ or $5 \pmod 9$. Hence, if $n \mid (r-1)$ for every prime $r \mid n'/3$, then each prime factor of $n'/3$ is 1 modulo $n$ and so $n'/3 \equiv 1 \pmod n$, which is the same as saying $2^{n-1} \equiv 1 \pmod n$. This is impossible since, writing $n - 1 = (p-1)(q-1) + (p-1) + (q-1)$ and using Fermat's little theorem, $2^{n-1} \equiv 2^{p-1} \pmod q$ and $2^{n-1} \equiv 2^{q-1} \pmod p$. Hence there exists a prime $r_0 \mid n'/3$ such that $r_0 \not\equiv 1 \pmod n$. Observe also that any such factor verifies $r_0 \equiv 1 \pmod p$ or $r_0 \equiv 1 \pmod q$ and, in particular, $r_0 \not\equiv 3 \pmod n$. For this $r_0$ the number $d = (r_0 - 1, n)$ is therefore $p$ or $q$, and computing it costs a single gcd of integers of size $n$.

■

The previous algorithm would work, in particular, for any modulus $n = pq$ such that $(p-1, q-1) = D$ is small, for example $D < \log_2 n$. Indeed, if $2^{p-1} \equiv 1 \pmod q$ and $2^{q-1} \equiv 1 \pmod p$, then, together with Fermat's little theorem, $2^{p-1} \equiv 2^{q-1} \equiv 1 \pmod n$, so $2^D \equiv 1 \pmod n$, which is impossible for $D < \log_2 n$ because then $0 < 2^D - 1 < n$. This fact leads to the interesting observation that even the probability that $D > \log_2 n$ tends to zero with $n$. This is the content of the following proposition.
Proposition 2 For any positive $z$ we have

$$\sum_{\substack{z < p, q < 2z \\ (p-1,\, q-1) > \log z}} 1 \ \ll \ \left(\frac{z}{\log z}\right)^2 \frac{(\log\log z)^2}{\log z},$$

where the sum runs over the prime numbers in the interval.

Remark: Before proving the proposition, let us observe that we just have to use the Prime Number Theorem to obtain $\sum_{z < p, q < 2z} 1 \sim (z/\log z)^2$, and hence the probability of finding a pair of primes in the interval $[z, 2z]$ which do not satisfy the conditions in Theorem 1 tends to zero at least as fast as $(\log\log z)^2/\log z$. Also note that even if $(p-1, q-1)$ were big, we would still need 2 to have order dividing $D$ modulo $p$ and modulo $q$, which one expects to be false for many pairs of primes by Artin's conjecture (cf. [8]).
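As an added illustration (this code is not part of the paper), the following Python counts, over all pairs of primes in $(z, 2z]$, how many have $D = (p-1, q-1) > \log z$ and how many actually violate the hypothesis of Theorem 1, i.e. satisfy both $2^{p-1} \equiv 1 \pmod q$ and $2^{q-1} \equiv 1 \pmod p$. By the congruences in the proof of Theorem 1 the latter is equivalent to $2^{n-1} \equiv 1 \pmod n$, that is, to $n = pq$ being a Fermat pseudoprime to base 2 ($341 = 11 \cdot 31$ is the smallest example), and by the observation preceding Proposition 2 every such pair has $D \ge \log_2 n > \log z$, so the second count never exceeds the first. Function names and the choice of $z$ are the example's own.

```python
from math import gcd, log


def is_prime(x):
    """Trial division; adequate for the small ranges used in this example."""
    if x < 2:
        return False
    return all(x % d for d in range(2, int(x ** 0.5) + 1))


def theorem1_applies(p, q):
    """Hypothesis of Theorem 1: 2^(p-1) != 1 (mod q) or 2^(q-1) != 1 (mod p).
    Both congruences hold together exactly when 2^(n-1) == 1 (mod n), n = p*q,
    i.e. when n is a base-2 Fermat pseudoprime."""
    return pow(2, p - 1, q) != 1 or pow(2, q - 1, p) != 1


def pair_statistics(z):
    """Over unordered pairs of primes z < p < q <= 2z return
    (total pairs, pairs with gcd(p-1, q-1) > log z, pairs where Theorem 1 does not apply)."""
    ps = [x for x in range(z + 1, 2 * z + 1) if is_prime(x)]
    threshold = log(z)
    total = big_gcd = fails = 0
    for i, p in enumerate(ps):
        for q in ps[i + 1:]:
            total += 1
            if gcd(p - 1, q - 1) > threshold:
                big_gcd += 1
            if not theorem1_applies(p, q):
                fails += 1
    return total, big_gcd, fails


def proposition2_proxy(z):
    """The decay rate (log log z)^2 / log z by which Proposition 2 bounds the density
    of pairs with D > log z (up to the implied constant)."""
    return log(log(z)) ** 2 / log(z)


if __name__ == "__main__":
    for z in (100, 300, 1000):
        total, big_gcd, fails = pair_statistics(z)
        print(z, total, big_gcd / total, fails / total, proposition2_proxy(z))
```

For $z = 300$ the $47$ primes in $(300, 600]$ give $1081$ pairs; the ratio `big_gcd / total` is the empirical version of the left-hand side of Proposition 2 divided by $(z/\log z)^2$, and `fails / total` is the quantity the Remark is really about.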

Proof of Proposition 2. Given a positive $z$ big enough, let

$$\pi(d; z) = \sum_{\substack{z < p < 2z \\ p \equiv 1 \ (\mathrm{mod}\ d)}} 1 .$$

Then the number of pairs of primes $z < p, q < 2z$ such that $(p-1, q-1) = d > \log z$ is bounded above by

$$\sum_{\log z < d < z} \ \sum_{\substack{z < q < p < 2z \\ p,\, q \equiv 1 \ (\mathrm{mod}\ d)}} 1 \ \le \ \sum_{\log z < d < z^{\alpha}} \pi(d; z)^2 \ + \ \sum_{z^{\alpha} < d < z} \pi(d; z)^2 \ = \ S_1 + S_2 ,$$

for any $0 < \alpha < 1$. For the second term we get trivially, from $\pi(d; z) \le z/d + 1 \le 2z/d$, the bound $S_2 \ll z^{2-\alpha}$. To estimate $S_1$ let us first introduce the following useful notation. We will write

$$E(d; z) = \pi(d; z) - \frac{z}{\varphi(d) \log z}$$

for the error in the approximation of the number of primes in the congruence class 1 modulo $d$ by the total number of primes divided by the number of congruence classes. Then,

$$S_1 = \sum_{\log z < d < z^{\alpha}} \pi(d; z)^2 = \sum_{\log z < d < z^{\alpha}} \left(\frac{z}{\varphi(d) \log z}\right)^2 + 2 \sum_{\log z < d < z^{\alpha}} \frac{z}{\varphi(d) \log z}\, E(d; z) + \sum_{\log z < d < z^{\alpha}} E(d; z)^2 .$$

We can now use the Cauchy-Schwarz inequality to get, for the cross term above,

$$\sum_{\log z < d < z^{\alpha}} \frac{z}{\varphi(d) \log z}\, E(d; z) \ \le \ \left( \sum_{\log z < d < z^{\alpha}} \left(\frac{z}{\varphi(d) \log z}\right)^2 \right)^{1/2} \left( \sum_{\log z < d < z^{\alpha}} E(d; z)^2 \right)^{1/2} . \qquad (1)$$

We are in the correct position to use the Barban-Davenport-Halberstam Theorem for primes in arithmetic progressions (cf. page 421, [7]), which we now include for convenience.

Theorem 3 (Barban-Davenport-Halberstam) For any $A > 0$ and $\varepsilon > 0$ we have

$$\sum_{d \le z^{1-\varepsilon}} E(d; z)^2 \ \ll \ \frac{z^2}{(\log z)^A},$$

where the implied constant only depends on $A$ and $\varepsilon$.

Substituting the above inequality in $S_1$, putting $A = 4$, $\varepsilon = 1/4$ and $\alpha = 3/4$, and using (1), we get for some constant $C$

$$S_1 \ \le \ \left(\frac{z}{\log z}\right)^2 \sum_{\log z < d < z^{\alpha}} \frac{1}{\varphi(d)^2} \ + \ \frac{C z^2}{(\log z)^3} \left( \sum_{\log z < d < z^{\alpha}} \frac{1}{\varphi(d)^2} \right)^{1/2} \ + \ \frac{C z^2}{(\log z)^4} .$$

To finish the proof of the Proposition we just have to note that

$$\varphi(d) = d \prod_{p \mid d} \left(1 - \frac{1}{p}\right) \ \ge \ d \prod_{p \le d} \left(1 - \frac{1}{p}\right) \ \ge \ \frac{C d}{\log d},$$

by Mertens' Theorem (cf. p. 34, [7]), and so

$$\sum_{\log z < d < z^{\alpha}} \frac{1}{\varphi(d)^2} \ \le \ C_1 \sum_{d > \log z} \left(\frac{\log d}{d}\right)^2 \ \ll \ \frac{(\log\log z)^2}{\log z}$$

for some constants $C, C_1$. This quantity tends to zero, so the first term in the bound for $S_1$ dominates the other two, and it also dominates $S_2 \ll z^{5/4}$. The result follows.

2.2 The general case

For a few pairs of primes it could happen that the order of 2 in $\mathbb{F}_p^*$ and in $\mathbb{F}_q^*$ is a divisor of $D = (p-1, q-1)$; in that case $2^n \equiv 2 \pmod n$, which makes Algorithm 1 fail. To avoid this problem, instead of 2 we will choose a primitive root $g$ of $\mathbb{F}_q^*$ to build our test number $n' = g^n + 1$. It is very easy to see that the number of primitive roots of $\mathbb{F}_q^*$ is $\varphi(q-1)$; hence the probability for a random integer $m$ to be a primitive root modulo $q$ verifies

$$\frac{\varphi(q-1)}{q-1} = \prod_{p \mid (q-1)} \left(1 - \frac{1}{p}\right) \ \ge \ \prod_{p < q} \left(1 - \frac{1}{p}\right) \ \gg \ \frac{1}{\log q},$$

again by Mertens' theorem. In other words, a set of $C \log q$ random integers contains a primitive root modulo $q$ with probability as close to one as we want, making the constant $C$ big enough. To see this, note that the probability for a random set of this size to contain no primitive root would be about $(1 - 1/(e^{\gamma} \log q))^{C \log q} \approx e^{-C e^{-\gamma}}$. In this direction Bach, in [1], made a much more accurate heuristic argument to claim that the least primitive root modulo $p$, which we will call $g(p)$, should verify $g(p) \le e^{\gamma} \log p\, (\log\log p)^2 (1 + \varepsilon)$ for almost all $p$. Although this fact is not yet proved, there are conditional results in this direction. In particular we will mention the following result of V. Shoup in [12], proved under the Generalized Riemann Hypothesis, GRH from now on.

Theorem 4 (Shoup) Let $p$ be a prime and denote by $g(p)$ the least positive integer which is a generator of $\mathbb{F}_p^*$. Then, if GRH is true, $g(p) = O((\log p)^6)$.

Observe that, although far from the expected result, $g(p) = O((\log p)^6)$ is still of polynomial size and hence good enough for our purposes. It is worth mentioning that Heath-Brown was able to prove in [5] that among 2, 3, 5 there is a primitive root for infinitely many primes $p$. Let us now describe the algorithm.

For convenience we will call $c \in \{0,1\}^{n+1}$ the binary encoding of $2^n + 1$. We will take advantage of the fact that the $m$-ary representation of the numbers $m^n + 1$ is always $c$, independent of $m$. Let $n'_m = m^n + 1$ and consider the function $\omega(n)$ counting the number of distinct prime factors of $n$. Assume the existence of an oracle $\mathcal{O}$ which, on input $(c, m)$, returns a set of residue classes $S$ of size $|S| = \omega(m) + 2$ when such a set $S$ exists, and otherwise returns $\bot$. Again, the only thing we need is the residue class modulo $n$ of just one prime factor of $n'_m$ different from 1 and from the classes of the prime divisors of $m + 1$. Hence, if convenient, we can consider the set $S$ to be of polynomial size such that $S \subseteq \{r \pmod n : r \text{ prime}, r \mid n'_m\}$, $S \not\subseteq S_m \cup \{1\}$, where $S_m = \{r \pmod n : r \text{ prime}, r \mid (m+1)\}$. The following algorithm, on the input of an RSA modulus $n$, outputs a nontrivial factor of $n$.

Algorithm 2

1. Set $m = 2$.

2. Send $(c, m)$ to $\mathcal{O}$.

3. If $S = \bot$, set $m = m + 1$ and go to (2). Else,

4. Take $r \in S$, $r \notin S_m \cup \{1\}$, and compute $d = (r - 1, n)$.

Theorem 5 Let $n = pq$ be an RSA modulus. If GRH is true then Algorithm 2 runs in polynomial time and the number $d$ given by it is a prime divisor of $n$.

Proof: By Theorem 4 we can assume that $m$ is a primitive root modulo $q$, at a polynomial time cost. Then $m^{p-1} \not\equiv 1 \pmod q$, since $p < q$. We may also assume that $(m+1, n) = 1$, for otherwise $(m+1, n)$ is already a nontrivial factor of $n$. Hence, in a similar way as in the proof of Theorem 1, we have to prove that a certain prime factor $r$ of $n'_m$ belongs to a residue class modulo $n$ not in $S_m \cup \{1\}$. We will use the following straightforward lemma.

Lemma 6 Let $n$ be an RSA modulus. For any integer $m$ such that $(m+1, n) = 1$ we have $((m^n + 1)/(m+1), m+1) = 1$.

Proof: Observe that if $r \mid (m+1)$, then $m \equiv -1 \pmod r$ and

$$\frac{m^n + 1}{m + 1} = \sum_{j=0}^{n-1} (-m)^j \equiv \sum_{j=0}^{n-1} 1 = n \pmod r,$$

which is not divisible by $r$ because $(m+1, n) = 1$.

■

Now, analogously to what we did in the proof of Theorem 1, if $r \mid n'_m$ then $m^{2n} \equiv 1 \pmod r$, and so $\mathrm{ord}_r(m)$ is one of $1, 2, p, q, 2p, 2q, pq$ or $2pq$; and clearly $\mathrm{ord}_r(m) \ne 1, 2$ for any prime factor $r$ of $(m^n + 1)/(m+1)$. To see this, note that $\mathrm{ord}_r(m) \in \{1, 2\}$ means $r \mid (m-1)(m+1)$; the case $r \mid (m+1)$ is excluded by Lemma 6, and if $r \mid (m-1)$ then $m^n + 1 \equiv 2 \pmod r$, so $r = 2$, which forces $m$ to be odd, $2 \mid (m+1)$, and we are back in the excluded case. Hence, as in the previous section, for any $r \mid (m^n+1)/(m+1)$ either $p \mid (r-1)$, $q \mid (r-1)$ or $n \mid (r-1)$. If $r \equiv 1 \pmod n$ for every $r \mid (m^n+1)/(m+1)$ then $(m^n+1)/(m+1) \equiv 1 \pmod n$, i.e. $m^n \equiv m \pmod n$, and in particular $m^{n-1} \equiv 1 \pmod q$, which is impossible for $m$ a primitive root modulo $q$ since $m^{n-1} \equiv m^{p-1} \pmod q$. The proof of the theorem concludes as in Theorem 1.
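The following Python is an added example, not the paper's code: it runs Algorithm 1 (the case $m = 2$ of Section 2.1) and Algorithm 2 against a simulated oracle. The paper's oracle $\mathcal{O}$ is an idealised object; here it is replaced by trial division of $m^n + 1$ by primes up to $10^6$, which only works for toy moduli $n$ with small $p$ and $q$ and says nothing about the cost for real RSA sizes. The names `simulated_oracle`, `extract_factor`, `algorithm1`, `algorithm2` and the bound `ORACLE_BOUND` are the example's own. On $n = 35 = 5 \cdot 7$, Algorithm 1 already succeeds with $m = 2$ (the prime $11 \mid 2^5 + 1$ gives $(11 - 1, 35) = 5$). On $n = 341 = 11 \cdot 31$, where $2^{340} \equiv 1 \pmod{341}$ and the hypothesis of Theorem 1 fails, the simulated oracle returns no residue outside $\{1, 3\}$ and Algorithm 1 yields nothing, while Algorithm 2 moves on to $m = 3$ and finds the factor 11 from the prime $67 \mid 3^{11} + 1$.

```python
from math import gcd


def primes_up_to(limit):
    """Sieve of Eratosthenes; the list of primes the simulated oracle searches."""
    sieve = bytearray([1]) * (limit + 1)
    sieve[0] = sieve[1] = 0
    for i in range(2, int(limit ** 0.5) + 1):
        if sieve[i]:
            sieve[i * i::i] = bytes(len(range(i * i, limit + 1, i)))
    return [i for i, flag in enumerate(sieve) if flag]


ORACLE_BOUND = 10 ** 6                 # example's own choice, not from the paper
SMALL_PRIMES = primes_up_to(ORACLE_BOUND)


def simulated_oracle(n, m):
    """Stand-in for the oracle O: residues mod n of the prime factors r <= ORACLE_BOUND
    of n'_m = m^n + 1.  The empty set plays the role of the paper's bottom symbol."""
    x = m ** n + 1
    return {r % n for r in SMALL_PRIMES if x % r == 0}


def prime_divisors(x):
    """Distinct prime divisors of a small integer x by trial division (used for m + 1)."""
    out, d = set(), 2
    while d * d <= x:
        while x % d == 0:
            out.add(d)
            x //= d
        d += 1
    if x > 1:
        out.add(x)
    return out


def extract_factor(n, m, residues):
    """Step 4 of Algorithm 2: d = gcd(r - 1, n) for a residue r outside S_m ∪ {1}.
    For m = 2 the excluded set is {1, 3}, exactly as in Algorithm 1."""
    excluded = {r % n for r in prime_divisors(m + 1)} | {1}   # S_m ∪ {1}
    for r in residues - excluded:
        d = gcd(r - 1, n)
        if 1 < d < n:                  # Theorem 1 / 5: d is p or q
            return tuple(sorted((d, n // d)))
    return None


def algorithm1(n):
    """Algorithm 1: n' = 2^n + 1.  Returns (p, q) or None when the oracle is of no use."""
    return extract_factor(n, 2, simulated_oracle(n, 2))


def algorithm2(n, max_m=50):
    """Algorithm 2: increase m until the oracle yields a usable residue.
    max_m is a safety cap for the example; Theorem 5 only needs m up to a primitive root mod q."""
    for m in range(2, max_m + 1):
        # Lemma 6 assumes (m + 1, n) = 1; if that (or (m, n) = 1) fails, the gcd is already a factor.
        for g in (gcd(m, n), gcd(m + 1, n)):
            if 1 < g < n:
                return tuple(sorted((g, n // g)))
        result = extract_factor(n, m, simulated_oracle(n, m))
        if result is not None:
            return result
    return None


if __name__ == "__main__":
    print(algorithm1(35), algorithm1(341), algorithm2(341))
```

Note that `extract_factor` checks `1 < d < n` rather than trusting the residue blindly: a prime factor of $n'_m$ that is $\equiv 1 \pmod n$ would give $d = n$, and the proofs above only guarantee that some usable residue exists, not that every residue outside $S_m \cup \{1\}$ returned by an arbitrary oracle is usable.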